On Tue, Mar 15, 2005 at 12:45:14AM +0100, Wouter Verhelst wrote:
> On Mon, Mar 14, 2005 at 10:20:00PM +0100, Sven Luther wrote:
> > But you would notice all this just the same if the signing were automated,
> > don't you?
>
> Possibly; however, it wouldn't buy us much (signing successful build
> logs currently takes me 10 seconds for the first log, and less than a
> second for the next ones thanks to mutt's gpg passphrase caching and a
Unless you are on vacation, sick or whatever, in which case the buildd for the
arch in question is paralyzed for days if not weeks. This happened already,
although not with the m68k buildds I think.
> some scripting) while it would cost us much: auto-signing stuff is
> dangerous, as it requires connecting a machine with a key without
> passphrase, or that at least has the key unprotected in memory, to the
> Internet. There's a major difference, security-wise, and no noticeable
> difference in handling of the logs -- most of us actually sit close to
> their mailbox most of the day, and only when we sleep do successful logs
> have to wait a bit.
Yep, it usually works well, but we had cases where packages waited longer, and
this is what concerns me.
Friendly,
Sven Luther